Office 365: Encryption and control

[Note: this is partially an advertisement, but very informative text on general Office365, encryption and control. It shows the kind of a compliance required by high risk environments, achievable by using third party products and Office365 as a platform]

When collaboration moves to the cloud, security policy and controls must move into the documents themselves

When a Microsoft product becomes one of the fastest-growing SaaS applications in the enterprise, we’re long past the inflection point of public clouds as the de facto architecture in the enterprise. With billions of files and terabytes of data created outside of the firewall every year, it’s clear we need to rethink our approach to security for the modern business. This rapid growth is no speculation, thanks to an estimated 3.2 million Office 365 users added this last quarter, to an already massive population of more than 50 million paying business users.

To improve data security in the cloud, we need to make certain fundamental architectural assumptions and design decisions. When perimeter and endpoint defenses are only effective at controlling data generated by last-generation users and last-generation technology, the enterprise needs a new, more data-centric approach. We must assume that the firewall is permeable and we cannot possibly lock down every endpoint loosely connected to our networks. Instead, we must attach security directly to the file, with centralized management of policy, permissions, and tracking capabilities.

To illustrate how this approach can be effective in a more practical model, let’s consider what’s necessary to effectively protect against data loss, drive user adoption and compliance, and respond effectively to a suspected breach in an organization considering Office 365.

Confidentiality at the point of creation

In such an environment, the best way to protect the confidentiality and privacy of proprietary enterprise content is to apply security, policy, and controls at the moment a file is created or shared. In the Office 365 model, this requires a solution that can identify and capture this data across multiple platforms and stages of its lifecycle.

There are three key moments when a security solution needs to insert itself in Office:

When a file is first saved to the desktop or OneDrive for Business

When a file is attached to an email

When a user shares from the file menu

By capturing files at these three points and applying encryption, access permissions, and usage restrictions directly to the document, organizations can be confident they will always control the data, no matter where or how it is transmitted.

Drive adoption and compliance

In any organization, the effectiveness of a given security technology is directly proportional to the rate of adoption and compliance among users. This has several implications. Notably, for a solution to achieve a critical mass of adoption, four requirements must be met:

It must allow for the automatic protection of data through the application of “smart defaults”

It must be accessible from any endpoint, whether the device itself is trusted or not

It must enhance, but not disrupt, user workflows

Finally, it must be intuitive (and often invisible) to users inside and outside of the system

Within Office 365, this means security must be integrated seamlessly into all of the normal operations of the system, wherever content is created and accessed. When the average employee sends and receives an average of 29,000 emails a year, the smallest amount of friction will create a barrier to adoption. Reducing friction at every step is the key to establishing consistent security coverage and compliance across a set of Office users.

Ensure authenticity and accountability through visibility

The great benefit of cloud-based applications for users is the unfettered access to information and productivity. The challenge for IT and security professionals is that this flexibility is often invoked from untrusted devices and networks. In the past, companies have tried to address this problem of access and control with DRM embedded directly into the document. Unfortunately, this approach only works when the document remains in a controlled system. With a cloud-based architecture and anywhere access, the likelihood that a file arrives on an untrusted device multiplies exponentially.

Given the meteoric rise of Office 365, security vendors and practitioners alike are jumping at the chance to further secure this ecosystem with solutions that meet the standards listed above. One company, Vera, offers a solution that enables people to secure and track any file on any device, and it works seamlessly with Office 365 to protect documents, presentations, videos, and images anywhere they travel for as long as they live.

The Vera solution

There are three components to the Vera solution that enable this seamless integration:

A client application that runs natively on Windows, OS X, iOS, and Android

A secure cloud service to manage permissions and policies

A centralized dashboard for visibility and monitoring of content

Through these three components, Vera can secure almost any kind of file, controlling granular permissions including copy/paste, printing, and even adding dynamic watermarks (including watermarks that display dynamic data, such as the current time or the user’s name). The benefit of this approach is that no matter where information is stored or how it is sent, we can dynamically update access permissions or policy definitions, or revoke access entirely.

Vera integrates with Outlook and Apple Mail, allowing users to protect attachments and apply policies directly from an email.

Each document secured with Vera is encrypted (using AES-256) with a unique key that is stored within the Vera cloud platform. These keys are transmitted securely via TLS/SSL to the clients. No keys are stored locally on the endpoint unless the policy owner specifically grants that privilege for offline or time-bound access. In addition to the encryption keys, the Vera cloud stores the policy definitions and activity logs. But a key tenet of the Vera security model is that our platform never stores customer content or application data in any way.

Vera tracks and logs all file and user activity including the location of the client when the file was accessed.

To decrypt and access a protected file, the Vera client sends a request to the Vera cloud, which matches the request against the user permissions and policy restrictions for the document. All access information including time, identity, action, and location is logged for monitoring and auditing. For access to secured documents away from a trusted device, Vera provides a Web-based document viewer that supports read-only access to the content.

Working with Vera

For any user, securing a file within Office 365 is easy. On a Mac or a PC, data can be secured in-place with a right-click, protected when email attachments are created, or even when files are created from Save As. Now that the document is secured, it’s ready to be shared. As a bonus, the sender can keep track of who has looked at the file, and if it has been forwarded anywhere else. Another right-click opens the Web-based Vera dashboard, where users can see who has accessed their files, for how long, and from where.

From the Vera dashboard, file owners can view all activity and revoke access if necessary.

From the Vera dashboard, an administrator can set and update policies, oversee users, run audit reports, and view all files secured by Vera. The dashboard provides full visibility into your business and aggregates data in a simple, powerful interface. The dashboard also allows the centralized management of data policies and application of rules to apply policies to every email attachment your company sends. This critical capability allows an administrator to instantly revoke access or adjust permissions to files that have already left the organization’s control. Even better, an IT administrator will be able to track where those attachments travel, anywhere in the world.

With Vera’s centralized approach to reporting, auditing and policy updates, an information security professional can see all activity around their organization’s files, even those that have left the traditional border of control. Think about how much easier breach detection, incident response, and root cause analysis can be when any document can be identified and updated, no matter where it is stored.

What’s exciting to me is the technology behind Vera that allows these users to save and share protected files directly to SharePoint or OneDrive for Business and instantly revoke access to files from Web, desktop, and mobile. There is a lot of momentum around securing these critical apps. Symantec offers integrated eDiscovery and Archival for Office 365, and Imperva helps protect the connections from devices to Office.com cloud apps. There will undoubtedly be plenty more to follow as the security industry works to fortify the data flowing across the productivity and collaboration ecosystem.

Prakash Linga is the co-founder & CTO of Vera, a data security firm based in Palo Alto, Calif.